Date: Sun, 4 May 2003 09:28:19 +0300
From: "Mihail Balikov" <misho@interbgc.com>
To: <freebsd-ipfw@freebsd.org>
Subject: Re: src-limit trouble
Message-ID: <002601c31206$5ab1a080$9bf212d9@interbgc.com>
References: <Pine.BSI.4.40.0305021452430.17519-100000@buratino.peterlink.ru>
This happens when you have more than one rule with "limit". I have a small patch for 4.7.

Regards,
Mihail Balikov

----- Original Message -----
From: <maxes@peterlink.ru>
To: <freebsd-ipfw@freebsd.org>
Sent: Friday, May 02, 2003 8:44 PM
Subject: src-limit trouble

> I use ipfw2 with a dynamic rule like this:
> ipfw add 50 count tcp from any to me dst-port 8000-8005,80 setup limit src-addr 20
>
> 1)
> In my case, the command "ipfw -d sh" can show some "LIMIT" rules without a
> corresponding "PARENT" rule, for example:
> ipfw -d sh | grep remote.ip
> 00050 9 861 (62s) LIMIT tcp remote.ip 19098 <-> me.ip 80
>
> That is the full output; I repeat, there is no corresponding PARENT rule.
>
> 2)
> If net.inet.ip.fw.dyn_keepalive=1, then
> FIN_WAIT_2 connections accumulate on the host.
> For example:
> netstat -an | grep WAIT_2 | wc -l
> 2178
>
> These FIN_WAIT_2 connections live for a very long period: 1-1.5 months.
> But if I set "sysctl -w net.inet.ip.fw.dyn_keepalive=0",
> then after at least 5 min (= dyn_ack_lifetime) the number of FIN_WAIT_2
> connections decreases to "normal": 20-40. I set MSL to 7500.
>
> The questions are:
> Why does a single LIMIT rule live without a PARENT?
> Why is this connection not closed?
> In FreeBSD FIN_WAIT_2 has a timer: after 2*MSL (30 sec in
> my case) this connection would be closed, wouldn't it? But with keep-alive
> these connections show in netstat and in the ipfw rules.
>
> b.r.
> Kozin Maxim
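The check Kozin did by hand with grep (a LIMIT entry with no PARENT for its source address, and PARENT counts that do not match the children actually present) can be automated over `ipfw -d show` output. This is an added example, not code from either poster or from FreeBSD; the sample lines are constructed, and the PARENT line layout ("PARENT <count> proto src 0 <-> 0.0.0.0 0") is assumed from ipfw2's dynamic-rule printer. It assumes the limit was declared on src-addr, as in the rule quoted above.

```python
import re

# Constructed sample of `ipfw -d show` dynamic-rule lines, modelled on the
# line quoted in the thread. Assumed layout (ipfw2 show_dyn_ipfw):
#   rulenum pkts bytes (expire) TYPE [count] proto src sport <-> dst dport
SAMPLE = """\
00050          9        861 (62s) LIMIT tcp 10.0.0.5 19098 <-> 192.0.2.10 80
00050          0          0 (5s) PARENT 1 tcp 10.0.0.7 0 <-> 0.0.0.0 0
00050         12       1402 (300s) LIMIT tcp 10.0.0.7 40001 <-> 192.0.2.10 8000
00050          3        180 (120s) LIMIT tcp 10.0.0.7 40002 <-> 192.0.2.10 8001
"""

LINE = re.compile(
    r"^(?P<rule>\d+)\s+\d+\s+\d+\s+\((?P<exp>\d+)s\)\s+"
    r"(?P<type>PARENT|LIMIT|STATE)(?:\s+(?P<count>\d+))?\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)$")


def parse_dyn(text):
    """Parse dynamic-rule lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"]) if d["count"] else None
            entries.append(d)
    return entries


def orphan_limits(entries):
    """LIMIT entries whose (rule, src-addr) has no PARENT entry at all."""
    parents = {(e["rule"], e["src"]) for e in entries if e["type"] == "PARENT"}
    return [e for e in entries
            if e["type"] == "LIMIT" and (e["rule"], e["src"]) not in parents]


def parent_count_mismatch(entries):
    """PARENT entries whose stored count differs from the LIMIT children present.

    Returns (rule, src, parent_count, observed_children) tuples."""
    children = {}
    for e in entries:
        if e["type"] == "LIMIT":
            key = (e["rule"], e["src"])
            children[key] = children.get(key, 0) + 1
    return [(p["rule"], p["src"], p["count"], children.get((p["rule"], p["src"]), 0))
            for p in entries if p["type"] == "PARENT"
            and p["count"] != children.get((p["rule"], p["src"]), 0)]
```

On a live box, feed `ipfw -d show` output to `parse_dyn` instead of SAMPLE; any orphan or mismatch is the inconsistency the thread describes and is worth correlating with the number of `limit` rules in the ruleset.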